I am running nginx on port 8080. Now I would like to make it accessible from the internet, so I opened a port on my router and added some rules to my PF, but in a sniff from Wireshark I see port unreachable:
2013-01-16 19:15:57.376545 IP 192.168.1.2.34891 > XXX.XXX.XXX.XXX.8080: Flags [S], seq 1885349577, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 10383901 ecr 0], length 0
2013-01-16 19:15:57.378853 IP XXX.XXX.XXX.XXX.8080 > 192.168.1.2.34891: Flags [FR.], seq 0, ack 1885349578, win 0, length 0
2013-01-16 19:15:57.378910 IP XXX.XXX.XXX.XXX > 192.168.1.2: ICMP XXX.XXX.XXX.XXX tcp port 8080 unreachable, length 36
2013-01-16 19:15:57.379250 IP 192.168.1.2.53838 > XXX.XXX.XXX.XXX.8080: Flags [S], seq 2116090664, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 10383904 ecr 0], length 0
2013-01-16 19:15:57.380858 IP XXX.XXX.XXX.XXX.8080 > 192.168.1.2.53838: Flags [FR.], seq 0, ack 2116090665, win 0, length 0
2013-01-16 19:15:57.380912 IP XXX.XXX.XXX.XXX > 192.168.1.2: ICMP XXX.XXX.XXX.XXX tcp port 8080 unreachable, length 36
XXX.XXX.XXX.XXX is my external IP, and here is my PF file:
ext_if = "XXX"
tcp_services = "{80, 443, 22, 53, 8080}"
udp_services = "{53}"
int_ip = "{XX.XX.XX.XX}"
int_services = "{3306 ,8080}"
icmp_types = "{echoreq}"
icmp_dang = "{13, 14, 17, 18}"
#***************************************************** Options *****************************************************
set block-policy drop
set loginterface $ext_if
set skip on lo0
#set timeout 70000
#scrub in all on $ext_if all no-df min-ttl 50 fragment reassemble
scrub out on $ext_if random-id
#***************************************************** NAT *****************************************************
nat on egress from (self) to any -> ($ext_if)
rdr on $ext_if proto {udp, tcp} from any to 192.168.1.2 port 8080 -> 192.168.1.2 port 8080
#***************************************************** Rules *****************************************************
antispoof for $ext_if
# block in&out traffic
block drop in log(all) on $ext_if all
block drop out log(all ,user) on $ext_if all
# Allow ping and MTU path discovery
pass in on $ext_if inet proto icmp all icmp-type $icmp_types
pass out on $ext_if inet proto icmp all icmp-type $icmp_types
pass inet proto icmp all icmp-type unreach code needfrag
# pass out tcp&udp traffic for some ports
pass out on $ext_if inet proto tcp from any to any port \
$tcp_services keep state
pass out on $ext_if inet proto udp from any to any port \
$udp_services keep state
pass out on $ext_if inet proto {tcp, udp} from $int_ip port $int_services \
to $int_ip port $int_services keep state
# pass in tcp&udp traffic for some ports
pass in on $ext_if inet proto tcp from any port $tcp_services \
to any keep state
pass in on $ext_if inet proto udp from any port $udp_services \
to any keep state
pass in on $ext_if inet proto {tcp, udp} from $int_ip port $int_services \
to $int_ip port $int_services keep state
# pass IGMP traffic
pass in on $ext_if proto igmp all allow-opts
# Allow some ICMP types to get in
pass in inet proto icmp all icmp-type $icmp_types
I think the problem is that you specify the destination before the redirection.
If I'm not wrong, you are using the older syntax (older than version 4.7), but here is how you would do it with the current syntax.
I'm pretty sure this can be used just like this:
Also, unless this is a very old installation, the `keep state` option is not necessary, since it is the default behavior of PF to keep state on connections.
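A complete minimal ruleset for this port forward, added here as an example; it is neither the answerer's nor the asker's code. It assumes the OpenBSD 4.7-or-later syntax, em0 as the external interface, em1 as the LAN interface and 192.168.1.2 (the nginx host from the capture) as the target; the interface names are placeholders. Unlike the `pass in` rules in the question, which match on the source port, the rules below filter on the destination port, which is the port an inbound connection to the service actually carries. The `keep state` keyword is omitted on purpose, since stateful filtering is the default.

```pf
# Added example, not code from the original post.
# Assumed names: em0 = external interface, em1 = LAN interface,
# 192.168.1.2 = nginx host (taken from the question's capture).
ext_if   = "em0"
int_if   = "em1"
web_srv  = "192.168.1.2"
web_port = "8080"

set skip on lo0
set block-policy drop

# Source NAT for LAN hosts going out. ($ext_if) in parentheses means
# "whatever address the interface currently has", so a changing public
# IP does not require editing the ruleset.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)

# Default deny on the external interface; log so pflog0 shows what hit it.
block in  log on $ext_if all
block out log on $ext_if all

# Redirect and pass in one rule. The filter part matches the packet as it
# arrives, i.e. addressed to the firewall's public address; rdr-to then
# rewrites the destination to the nginx host and state is created.
pass in on $ext_if proto tcp from any to ($ext_if) port $web_port \
    rdr-to $web_srv port $web_port

# Outbound traffic the firewall and the LAN are allowed to originate.
pass out on $ext_if inet proto tcp to any port {80, 443, 22, 53}
pass out on $ext_if inet proto udp to any port 53
pass in  on $int_if from $int_if:network to any

# Pre-4.7 equivalent of the pass/rdr-to rule above, for reference only.
# In the old syntax translation runs before filtering, so the pass rule
# must name the *translated* destination. Do not mix both syntaxes in
# one pf.conf:
#   rdr on $ext_if proto tcp from any to ($ext_if) port 8080 -> 192.168.1.2 port 8080
#   pass in on $ext_if proto tcp from any to 192.168.1.2 port 8080 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the loaded rules and `tcpdump -n -e -ttt -i pflog0` shows which rule dropped a packet. Note that the capture in the question is taken from 192.168.1.2 itself connecting to the public address: that packet enters the firewall on the LAN interface, so a redirect on $ext_if never sees it. Test from a host outside the network, or add the internal-interface redirect plus source NAT ("reflection") described in the OpenBSD PF FAQ.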